Cybersecurity promotes effective security strategies while adapting to the challenges of increasing external threats and vulnerabilities. HII promotes cybersecurity as a collaborative effort of all personnel and company organizations with access to information assets and information networks.
The new DFARS clause 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting, must be included in all new Department of Defense (DoD) prime contracts, including contracts for commercial items. The contract clause must also be flowed down to all subcontractors regardless of size and to all tiers of the DoD supply chain.
Key definitions defined by DFARS 252.204-7012:
- "Covered contractor information system" means an information system that is owned, or operated by or for, a contractor and that processes, stores, or transmits covered defense information.
- "Controlled technical information" means technical information with military or space application that is subject to controls on the access, use, reproduction, modification, performance, display, release, disclosure, or dissemination. Controlled technical information would meet the criteria, if disseminated, for distribution statements B through F using the criteria set forth in DoD Instruction 5230.24, Distribution Statements on Technical Documents. The term does not include information that is lawfully publicly available without restrictions.
- "Cyber incident" means actions taken through the use of computer networks that result in an actual or potentially adverse effect on an information system and/or the information residing therein.
The new clause contains two principal requirements that apply to all contractors at every tier:
- Implement adequate security measures to safeguard unclassified controlled technical information within contractor information systems from unauthorized access and disclosure
- Report cyber incidents within 72 hours of the event
We encourage you to begin the process necessary to assess your information system security so that you will be prepared to certify your compliance with the clause when you respond to a future procurement solicitation or submit the annual certifications and representations.